To protect a PC or network against unauthorized intrusion (hackers), firewalls are used to control all communication. More and more companies and private users install firewalls in order to protect their networks. Firewalls do not know every communication protocol on the Internet, so a proxy is needed to let certain protocols through them. This is in particular the case when the networks are NATed (Network Address Translation, i.e. private addresses are used on the LAN segment). Today's firewalls do not handle real-time data well. With the increasing use of applications such as IP telephony and real-time online games, there is a demand for applications that let such traffic through firewalls in a secure way.
There are many different proposals for solutions in this area; however, no good solution currently exists and none appears to be forthcoming.
Some of these solutions are mentioned in the following.

a) Open all ports above 1024 to all computers behind the FW. This works if NAT is not enabled, though at a high price, since hackers on the outside can easily attack all computers behind the FW on every port above 1024.

b) Use real-time proxies located in the FW's DMZ. The drawback is that operators or corporate personnel etc. have to buy, install and configure software for every real-time application someone behind the FW would like to use.

c) Make use of firewall control protocols. Several groups work on standardizing protocols that allow client applications to open and close ports on the FW, among others:

    The MIDCOM group (Middlebox Communication) is an IETF group standardizing such protocols. Its goal is to evaluate different proposals and adopt the best one as the official standard.

    An FCP (Firewall Control Protocol) is developed by Netscreen and Dynamicsoft.

    Another FCP protocol is being developed by Netscreen, Dynamicsoft, Microsoft and Checkpoint. This protocol might be the one adopted by MIDCOM. However, standardization is extremely slow. The background is probably threefold:

        (i) All such solutions require key and certificate distribution to everybody opening and closing FW ports. This is a huge problem and the reason why Internet payment solutions are not widely deployed.

        (ii) A security hole is opened.

        (iii) Many of the big firewall vendors do not want to introduce such solutions, partly because of the two reasons mentioned above. Another reason is probably that their business case is threatened: the FW logic is partly moved from the FW to the FW clients, making the FW thinner.

    Microsoft has initiated a protocol called UPnP (Universal Plug and Play), which is supported by many PC peripheral vendors. This protocol has the same drawbacks as mentioned above. Though, if used in combination with proprietary signalling and only allowing clients on the inside to open ports, it might get some market penetration. Corporations and ISPs will, however, never use it due to the reduced security.

    SOCKS is a protocol that has existed for a long time and can be used for FW traversal. The problems with this protocol, as with UPnP, are as described for the FCP protocol developed by Netscreen, Dynamicsoft, Microsoft and Checkpoint.

    STUN requires that the FWs be open for UDP traffic from the inside to the outside, and that responses to the same message be let in from the outside to the inside. Neither of these is common practice to open for in the FW.

d) Separate real-time and data networks. The drawback is that it is expensive to set up and maintain two separate networks instead of one.
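The difference between option a) and the narrower behaviour STUN relies on, as an added Python example that is not part of the original document; the addresses, ports and packet trace are constructed, and the two filter classes are a toy model rather than any real firewall's logic:

```python
"""Added example (not from the original text): a toy packet filter that contrasts
option (a), opening every port above 1024, with the narrower state that STUN
needs, i.e. letting in only replies to UDP the inside host already sent."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True when the packet arrives from the outside


class HighPortsOpen:
    """Option (a): anything from outside reaches any inside port above 1024."""

    def allow(self, p: Packet) -> bool:
        return (not p.inbound) or p.dst_port > 1024


class StatefulUdp:
    """Records each outbound UDP flow and admits only the matching reply,
    from the same remote address and port (the opening STUN depends on)."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    def allow(self, p: Packet) -> bool:
        if not p.inbound:
            self.flows.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return True
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.flows


# Constructed trace: an inside host probes a STUN-like server, the server answers,
# then an unrelated outside host tries to reach the inside host directly.
INSIDE, SERVER, STRANGER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
TRACE = [
    Packet(INSIDE, 40000, SERVER, 3478, inbound=False),   # outbound probe
    Packet(SERVER, 3478, INSIDE, 40000, inbound=True),    # legitimate reply
    Packet(STRANGER, 5555, INSIDE, 40000, inbound=True),  # unsolicited, high port
    Packet(STRANGER, 5555, INSIDE, 22, inbound=True),     # unsolicited, low port
]


def run_trace(fw, trace=TRACE) -> list[bool]:
    """Return the allow/deny decision for each packet in order."""
    return [fw.allow(p) for p in trace]
```

Both filters pass the legitimate reply, but only the port-range posture also admits the unsolicited packet to the high port, which is the exposure option a) describes.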